From 6474fe0afa91ddf7aeb60c23e52669a9baf4ba20 Mon Sep 17 00:00:00 2001
From: Dan
Date: Wed, 3 Jan 2024 11:41:28 +0000
Subject: [PATCH] Only the current user can modify thier own data

---
 .../bridge-server/src/authorization/onlyme.guard.ts | 13 +++++++++++++
 .../bridge-server/src/users/users.controller.ts     |  3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 packages/bridge-server/src/authorization/onlyme.guard.ts

diff --git a/packages/bridge-server/src/authorization/onlyme.guard.ts b/packages/bridge-server/src/authorization/onlyme.guard.ts
new file mode 100644
index 0000000..d015f31
--- /dev/null
+++ b/packages/bridge-server/src/authorization/onlyme.guard.ts
@@ -0,0 +1,13 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+
+@Injectable()
+export class OnlyMeGuard implements CanActivate {
+  constructor() {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const request = context.switchToHttp().getRequest();
+    const user = request.user;
+
+    return request.params.id == user.sub;
+  }
+}
\ No newline at end of file
diff --git a/packages/bridge-server/src/users/users.controller.ts b/packages/bridge-server/src/users/users.controller.ts
index 09460e7..79a3fa3 100644
--- a/packages/bridge-server/src/users/users.controller.ts
+++ b/packages/bridge-server/src/users/users.controller.ts
@@ -1,6 +1,7 @@
 import { Body, Controller, Get, Param, Post, UseGuards } from '@nestjs/common';
 import { JwtAuthGuard } from 'src/authz/authz.guard';
 import { UsersService } from './users.service';
+import { OnlyMeGuard } from 'src/authorization/onlyme.guard';
 
 @Controller('users')
 export class UsersController {
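Review bot: `canActivate` compares the route parameter with the token subject using loose equality and dereferences `request.user` without checking it is set, so the outcome depends on `JwtAuthGuard` having run first and on whatever runtime types `params.id` and `sub` happen to have; `return request.params.id == user.sub;` should become `if (!user || user.sub == null) return false;` followed by `return String(request.params.id) === String(user.sub);` so that a missing user or claim denies rather than throws. A short TSDoc on the class, e.g. "Allows a request only when the :id route parameter equals the authenticated user's sub claim; must be listed after the JWT guard," would document what "me" means here, and the empty `constructor() {}` can be dropped. Note that the guard only constrains `params.id`; any handler that takes the target user from the request body is not covered by it.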
@@ -19,7 +20,7 @@ export class UsersController {
     return this.usersService.updateLastLogin(body.id, body.nickname, body.picture, body.time);
   }
 
-  @UseGuards(JwtAuthGuard)
+  @UseGuards(JwtAuthGuard, OnlyMeGuard)
   @Post(':id/update')
   async updateUserDetails(@Body() body: any) {
     await this.usersService.updateUserDetails(body.id, body.nickname, body.realname);
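Review bot: `updateUserDetails` still passes `body.id` to the service while `OnlyMeGuard` only checks `request.params.id`, so a request whose path id is the caller's own but whose body id is someone else's passes the guard and the update lands on the other user; the handler should take the target from the guarded route parameter: `async updateUserDetails(@Param('id') id: string, @Body() body: any) {` and `await this.usersService.updateUserDetails(id, body.nickname, body.realname);` (`Param` is already imported in this file). The `body: any` type also leaves `nickname` and `realname` unvalidated; a DTO class with `ValidationPipe` is the usual NestJS answer, though I cannot see the service's expectations from here. The method's closing brace lies outside the hunk.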